This paper is a tutorial introduction to the present state-of-the-art in the field of security of lattice-based cryptosystems. After a short introduction to lattices, we describe the main hard problems in lattice theory that cryptosystems base their security on, and we present the main methods of attacking these hard problems, based on lattice basis reduction. We show how to find shortest vectors in lattices, which can be used to improve basis reduction algorithms. Finally we give a framework for assessing the security of cryptosystems based on these hard problems.

We give easy proofs of some recent results concerning threshold gaps in ramp schemes. We then give a simplified and unified treatment of construction methods for ramp schemes using error-correcting codes. Finally, as an immediate consequence of these results, we provide a new explicit bound on the the minimum length of a code having a specified distance and dual distance.

This article describes the design of an 8-bit coprocessor for the AES (encryption, decryption, and key expansion) and the cryptographic hash function Gr{\\o}stl on several Xilinx FPGAs. Our Arithmetic and Logic Unit performs a single instruction that allows for implementing AES encryption, AES decryption, AES key expansion, and Gr{\\o}stl at all levels of security. Thanks to a careful organization of AES and Gr{\\o}stl internal states in the register file, we manage to generate all read and write addresses by means of a modulo-128 counter and a modulo-256 counter. A fully autonomous implementation of Gr{\\o}stl and AES on a Virtex-6 FPGA requires 169 slices and a single 36k memory block, and achieves a competitive throughput. Assuming that the security guarantees of Gr{\\o}stl are at least as good as the ones of the other SHA-3 finalists, our results show that Gr{\\o}stl is the best candidate for low-area cryptographic coprocessors.

We present a construction of log-depth formulae for various threshold functions based on atomic threshold gates of constant size. From this, we build a new family of linear secret sharing schemes that are multiplicative, scale well as the number of players increases and allows to raise a shared value to the characteristic of the underlying field without interaction. Some of these schemes are in addition strongly multiplicative. Our formulas can also be used to construct multiparty protocols from protocols for a constant number of parties. In particular we implement black-box multiparty computation over non-Abelian groups in a way that is much simpler than previously known and we also show how to get a protocol in this setting that is efficient and actively secure against a constant fraction of corrupted parties, a long standing open problem. Finally, we show a negative result on usage of our scheme for pseudorandom secret sharing as defined by Cramer, Damgård and Ishai.

in presence of tamper-proof hardware tokens. We present a very efficient

protocol for password-based authenticated key exchange based on the weak model of one-time memory tokens, recently introduced by Goldwasser et al. (Crypto~2008). Our protocol only requires four moves, very basic operations, and the sender to send $\\ell$ tokens in the first step for passwords of length $\\ell$. At the same time we achieve information-theoretic security in Canetti\'s universal composition framework (FOCS~2001) against adaptive adversaries (assuming reliable erasure), even if the tokens are not guaranteed to be transferred in an authenticated way, i.e., even if the adversary can read or substitute transmitted tokens (as opposed to many previous efforts).

Abstract We take a closer look at several enhancements of the notion of trapdoor permutations. Specifically, we consider the notions of enhanced trapdoor permutation (Goldreich, Foundation of Cryptography: Basic Applications, 2004) and doubly enhanced trapdoor permutation (Goldreich, Computational Complexity: A Conceptual Perspective, 2011) as well as intermediate notions (Rothblum, A Taxonomy of Enhanced Trapdoor Permutations, 2010). These enhancements arose in the study of Oblivious Transfer and NIZK, but they address natural concerns that may arise also in other applications of trapdoor permutations. We clarify why these enhancements are needed in such applications, and show that they actually suffice for these needs.